WannaCry shows we need to understand why organizations don't patch

Posted by   Martijn Grooten on   May 17, 2017

For the past few days, the world of Infosec on Twitter has tried to find as many ways as possible of saying "we told you so".

To be fair, it's true – we did tell you so: for years we have warned of the dangers of not patching, of not keeping backups, and of running services one doesn't really need. Infosec does indeed have a pretty good track record of predicting the most serious cyber attacks. Unfortunately, it achieves this by constantly predicting doom, so that eventually it ends up being right.

Remember, for example, the 2015 vulnerability found in the Stagefright Android library? "In the worst case scenario, the exploit could be turned into a worm of a size not seen for a very long time," I wrote in a blog post, echoing what everyone else was saying around that time. Yet, despite the still deplorable state of Android patching, we have yet to see such a worm. In fact, I am not aware of any use of the Stagefright vulnerability in the wild. Stagefright isn't an exception: most vulnerabilities, even many of those that sound really bad, are rarely, if ever, exploited in the wild.


So maybe the question we should be asking about WannaCry is not "why do so many organisations allow unpatched machines to exist on their networks?" but "why doesn't patching work reasonably well most of the time?".

Indeed, not patching may well be the most effective short-term strategy. With a few exceptions, such as browser plug-ins and open-source CMSs, exploitation of vulnerabilities right after they have been patched is rare. It may actually be more common to encounter problems arising from patches that go wrong.

Of course, patching is the sensible long-term approach, even if one can spend years running out-of-date systems before something as bad as WannaCry hits. A dedicated security team can help make patching a mostly painless procedure. Such teams aren't cheap though, and this, together with the price of some more advanced security products, may be the real issue: many organizations simply don't have the money we believe they should be spending on security. Repeatedly labouring the point that they should spend the money anyway may not always be the most effective approach.

When I was putting together the programme for VB2017, I wanted to include a number of talks by people who could provide a view from organizations that don't have lots of cash to throw at the security problem; I am pleased that the programme, which went live earlier this month, does indeed include several such talks.


Most relevant to WannaCry is the talk by Jelena Milosevic, who works as a hospital nurse and has a passion for security; she is thus very well qualified to provide a behind-the-scenes view of healthcare security. But I am just as much looking forward to hearing Claus Cramon Houmann, who will talk about his time as a CISO for a small bank, and will share how to achieve 'minimum viable security' on a small budget.

Claus-Houmann-web.jpgClaus Cramon Houmann will talk about his time as a CISO for a small bank.

I am also looking forward to the presentation by Tyrus Kamau (Euclid Consultancy), who will talk about the state of cybersecurity in Kenya. It will be interesting to see how different, or maybe how similar, the threat landscape is in a country that has less money to spend in general, and thus less on security in particular. Maybe tighter budgets have made people more inventive and not necessarily less secure.

Another group that doesn't have a lot of money is 'civil society': NGOs, human rights activists, journalists, and so on. Many of them are volunteers or work for little money; they certainly don't have the funds to get a well-paid CISO or to spend on fancy and probably very effective security tools. Claudio Guarnieri, currently working for Amnesty International, but also one of the people behind the open-source Cuckoo Sandbox, will talk about the threats these people and organizations are facing.

If you're reading this, you probably work in security. It is your job to tell others how to make their systems more secure – and please continue to do so! But don't forget also to listen to those fighting security in the real world, and to make an effort to understand the constraints they operate under.

VB2017 will take 4-6 October in Madrid, Spain. Registration is now open - register before 30 June 2017 to qualify for the early bird rate!




Latest posts:

VB2019 paper: APT cases exploiting vulnerabilities in region-specific software

At VB2019, JPCERT/CC's Shusei Tomonaga and Tomoaki Tani presented a paper on attacks that exploit vulnerabilities in software used only in Japan, using malware that is unique to Japan. Today we publish both their paper and the recording of their…

New paper: Detection of vulnerabilities in web applications by validating parameter integrity and data flow graphs

In a follow-up to a paper presented at VB2019, Prismo Systems researchers Abhishek Singh and Ramesh Mani detail algorithms that can be used to detect SQL injection in stored procedures, persistent cross-site scripting (XSS), and server‑side request…

VB2020 programme announced

VB is pleased to reveal the details of an interesting and diverse programme for VB2020, the 30th Virus Bulletin International Conference.

VB2019 paper: Cyber espionage in the Middle East: unravelling OSX.WindTail

At VB2019 in London, Jamf's Patrick Wardle analysed the WindTail macOS malware used by the WindShift APT group, active in the Middle East. Today we publish both Patrick's paper and the recording of his presentation.

VB2019 paper: 2,000 reactions to a malware attack – accidental study

At VB2019 cybercrime journalist and researcher Adam Haertlé presented an analysis of almost 2000 unsolicited responses sent by victims of a malicious email campaign. Today we publish both his paper and the recording of his presentation.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.